fix: add pasword validation

aws · Aug 13, 2021 · 08bcae4 · 08bcae4
1 parent fc7fc68
commit 08bcae4
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 34 deletions.
diff --git a/packages/aws-rfdk/lib/deadline/lib/repository.ts b/packages/aws-rfdk/lib/deadline/lib/repository.ts
@@ -286,17 +286,19 @@ export interface RepositorySecurityGroupsOptions {
 export interface SecretsManagementProps {
   /**
    * Whether or not to enable the Secrets Management feature.
-   * @default true
    */
-  readonly enabled?: boolean;
+  readonly enabled: boolean;
+
   /**
    * A Secret containing the username and password to use for the admin role.
    * The contents of this secret must be a JSON document with the keys "username" and "password". ex:
    *     {
    *         "username": <admin user name>,
    *         "password": <admin user password>,
    *     }
-   * Password should contain at least one lowercase letter, one uppercase letter, one symbol and one number.
+   * Password should be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one symbol and one number.
+   * In the case when the password does not meet the requirements, the repository construct will fail to deploy.
+   * It is highly recommended that you leave this parameter undefined to enable the automatic generation of a strong password.
    *
    * @default: A random username and password will be generated in a Secret with ID `SMAdminUser` and will need to be retrieved from AWS Secrets Manager if it is needed
    */
@@ -427,7 +429,7 @@ export interface RepositoryProps {
    * https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/secrets-management/deadline-secrets-management.html
    * @default: Secrets Management will be enabled and a username and password will be automatically generated if none are supplied.
    */
-  readonly secretsManagementSettings?: SecretsManagementProps
+  readonly secretsManagementSettings?: SecretsManagementProps;
 }
 
 /**
@@ -518,6 +520,11 @@ export class Repository extends Construct implements IRepository {
    */
   private static REPOSITORY_OWNER = { uid: 1000, gid: 1000 };
 
+  /**
+   * Default username for auto generated admin credentials in Secret Manager.
+   */
+  private static DEFAULT_SECRETS_MANAGEMENT_USERNAME: string = 'admin';
+
   /**
    * @inheritdoc
    */
@@ -552,7 +559,7 @@ export class Repository extends Construct implements IRepository {
   /**
    * Deadline Secrets Management settings.
    */
-  public readonly secretsManagementSettings: SecretsManagementProps
+  public readonly secretsManagementSettings: SecretsManagementProps;
 
   constructor(scope: Construct, id: string, props: RepositoryProps) {
     super(scope, id);
@@ -576,15 +583,15 @@ export class Repository extends Construct implements IRepository {
       enabled: props.secretsManagementSettings?.enabled ?? true,
       credentials: props.secretsManagementSettings?.credentials ??
         ((props.secretsManagementSettings?.enabled ?? true) ? new Secret(this, 'SMAdminUser', {
-          description: 'Admin credentials for Secret Management',
+          description: 'Admin credentials for Deadline Secrets Management',
           generateSecretString: {
-            excludeCharacters: '\"$&\'()-/<>[\\]\`{|}',
+            excludeCharacters: '\"$&\'()/<>[\\]\`{|}',
             includeSpace: false,
             passwordLength: 24,
             requireEachIncludedType: true,
 
             generateStringKey: 'password',
-            secretStringTemplate: JSON.stringify({ username: 'admin' }),
+            secretStringTemplate: JSON.stringify({ username: Repository.DEFAULT_SECRETS_MANAGEMENT_USERNAME }),
           },
         }) : undefined),
     };
@@ -999,8 +1006,8 @@ export class Repository extends Construct implements IRepository {
 
     if (this.secretsManagementSettings.enabled) {
       installerArgs.push('-r', Stack.of(this.secretsManagementSettings.credentials ?? this).region);
-      this.secretsManagementSettings.credentials?.grantRead(installerGroup);
-      installerArgs.push('-c', this.secretsManagementSettings.credentials?.secretArn ?? '');
+      this.secretsManagementSettings.credentials!.grantRead(installerGroup);
+      installerArgs.push('-c', this.secretsManagementSettings.credentials!.secretArn ?? '');
     }
 
     if (settings) {

diff --git a/packages/aws-rfdk/lib/deadline/scripts/bash/installDeadlineRepository.sh b/packages/aws-rfdk/lib/deadline/scripts/bash/installDeadlineRepository.sh
@@ -17,11 +17,11 @@ Required arguments:
 
 Optional arguments
   -s Deadline Repository settings file to import.
-  -o The UID[:GID] that this script will chown the Repository files for. If GID is not specified, it defults to be the same as UID."
+  -o The UID[:GID] that this script will chown the Repository files for. If GID is not specified, it defults to be the same as UID.
   -c Secret management admin credentials ARN. If this parameter is specified, secrets management will be enabled.
-  -r Region where stacks are deployed. Required to get secret management credentials.
+  -r Region where stacks are deployed. Required to get secret management credentials."
 
-while getopts "i:p:v:s:o:" opt; do
+while getopts "i:p:v:s:o:c:r:" opt; do
   case $opt in
     i) S3PATH="$OPTARG"
     ;;
@@ -118,29 +118,16 @@ fi
 SECRET_MANAGEMENT_ARG=''
 if [ ! -z "${SECRET_MANAGEMENT_ARN+x}" ]; then
   sudo yum install -y jq
-
   SM_SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id=$SECRET_MANAGEMENT_ARN --region=$AWS_REGION)
   SM_SECRET_STRING=$(jq -r '.SecretString' <<< "$SM_SECRET_VALUE")
   SECRET_MANAGEMENT_USER=$(jq -r '.username' <<< "$SM_SECRET_STRING")
   SECRET_MANAGEMENT_PASSWORD=$(jq -r '.password' <<< "$SM_SECRET_STRING")
-
-  len=$(echo ${#SECRET_MANAGEMENT_PASSWORD})
-  if test $len -ge 8 ; then
-      echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [0-9]
-      if test $? -eq 0 ; then
-          echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [A-Z]
-          if test $? -eq 0 ; then
-              echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [a-z]
-              if test $? -eq 0 ; then
-                  echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [~,.,:,@,!,\#,%,*,_,+,-,=,?]
-                  if test $? -eq 0 ; then
-                      SM_STRONG_PASSWORD='true'
-                  fi  
-              fi
-          fi
-      fi
-  fi
-  if [ -z "${SM_STRONG_PASSWORD+x}" ]; then
+  if !([[ ${#SECRET_MANAGEMENT_PASSWORD} -ge 8 ]] && 
+    echo $SECRET_MANAGEMENT_PASSWORD | grep -q [0-9] &&
+    echo $SECRET_MANAGEMENT_PASSWORD | grep -q [a-z] &&
+    echo $SECRET_MANAGEMENT_PASSWORD | grep -q [A-Z] &&
+    echo $SECRET_MANAGEMENT_PASSWORD | grep -q [^[:alnum:]])
+  then
     echo "ERROR: Admin password is too weak. It must be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one symbol and one digit."
     exit 1
   fi

diff --git a/packages/aws-rfdk/lib/deadline/test/repository.test.ts b/packages/aws-rfdk/lib/deadline/test/repository.test.ts
@@ -1289,7 +1289,7 @@ test('secret manager enabled', () => {
   // THEN
   expect(repository.secretsManagementSettings.credentials).toBe(expectedCredentials);
   const installerGroup = repository.node.tryFindChild('Installer') as AutoScalingGroup;
-  expect(installerGroup.userData.render()).toContain(`--installSecretsManagement true ${stack.region} ${expectedCredentials.secretArn}`);
+  expect(installerGroup.userData.render()).toContain(`-r ${stack.region} -c ${expectedCredentials.secretArn}`);
 });
 
 test('secret manager is enabled by default', () => {
@@ -1316,4 +1316,4 @@ test('credentials are undefined when secrets management is disabled', () => {
 
   // THEN
   expect(repository.secretsManagementSettings.credentials).toBeUndefined();
-});
+});