Skip to content

Commit

Permalink
fix: add pasword validation
Browse files Browse the repository at this point in the history
  • Loading branch information
kozlove-aws committed Aug 11, 2021
1 parent fc7fc68 commit edd489d
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 27 deletions.
21 changes: 14 additions & 7 deletions packages/aws-rfdk/lib/deadline/lib/repository.ts
Original file line number Diff line number Diff line change
Expand Up @@ -286,17 +286,19 @@ export interface RepositorySecurityGroupsOptions {
export interface SecretsManagementProps {
/**
* Whether or not to enable the Secrets Management feature.
* @default true
*/
readonly enabled?: boolean;
readonly enabled: boolean;

/**
* A Secret containing the username and password to use for the admin role.
* The contents of this secret must be a JSON document with the keys "username" and "password". ex:
* {
* "username": <admin user name>,
* "password": <admin user password>,
* }
* Password should contain at least one lowercase letter, one uppercase letter, one symbol and one number.
* Password should be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one symbol and one number.
* In case when password does not meet requirements secret management will be disabled.
* It is highly recommended that you leave this parameter undefined to enable the automatic generation of a strong password.
*
* @default: A random username and password will be generated in a Secret with ID `SMAdminUser` and will need to be retrieved from AWS Secrets Manager if it is needed
*/
Expand Down Expand Up @@ -427,7 +429,7 @@ export interface RepositoryProps {
* https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/secrets-management/deadline-secrets-management.html
* @default: Secrets Management will be enabled and a username and password will be automatically generated if none are supplied.
*/
readonly secretsManagementSettings?: SecretsManagementProps
readonly secretsManagementSettings?: SecretsManagementProps;
}

/**
Expand Down Expand Up @@ -518,6 +520,11 @@ export class Repository extends Construct implements IRepository {
*/
private static REPOSITORY_OWNER = { uid: 1000, gid: 1000 };

/**
* Default username for auto generated admin credentials in Secret Manager.
*/
private static DEFAULT_SECRETS_MANAGEMENT_USERNAME: string = 'admin';

/**
* @inheritdoc
*/
Expand Down Expand Up @@ -552,7 +559,7 @@ export class Repository extends Construct implements IRepository {
/**
* Deadline Secrets Management settings.
*/
public readonly secretsManagementSettings: SecretsManagementProps
public readonly secretsManagementSettings: SecretsManagementProps;

constructor(scope: Construct, id: string, props: RepositoryProps) {
super(scope, id);
Expand All @@ -578,13 +585,13 @@ export class Repository extends Construct implements IRepository {
((props.secretsManagementSettings?.enabled ?? true) ? new Secret(this, 'SMAdminUser', {
description: 'Admin credentials for Secret Management',
generateSecretString: {
excludeCharacters: '\"$&\'()-/<>[\\]\`{|}',
excludeCharacters: '\"$&\'()/<>[\\]\`{|}',
includeSpace: false,
passwordLength: 24,
requireEachIncludedType: true,

generateStringKey: 'password',
secretStringTemplate: JSON.stringify({ username: 'admin' }),
secretStringTemplate: JSON.stringify({ username: Repository.DEFAULT_SECRETS_MANAGEMENT_USERNAME }),
},
}) : undefined),
};
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -118,29 +118,16 @@ fi
SECRET_MANAGEMENT_ARG=''
if [ ! -z "${SECRET_MANAGEMENT_ARN+x}" ]; then
sudo yum install -y jq

SM_SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id=$SECRET_MANAGEMENT_ARN --region=$AWS_REGION)
SM_SECRET_STRING=$(jq -r '.SecretString' <<< "$SM_SECRET_VALUE")
SECRET_MANAGEMENT_USER=$(jq -r '.username' <<< "$SM_SECRET_STRING")
SECRET_MANAGEMENT_PASSWORD=$(jq -r '.password' <<< "$SM_SECRET_STRING")

len=$(echo ${#SECRET_MANAGEMENT_PASSWORD})
if test $len -ge 8 ; then
echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [0-9]
if test $? -eq 0 ; then
echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [A-Z]
if test $? -eq 0 ; then
echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [a-z]
if test $? -eq 0 ; then
echo "$SECRET_MANAGEMENT_PASSWORD" | grep -q [~,.,:,@,!,\#,%,*,_,+,-,=,?]
if test $? -eq 0 ; then
SM_STRONG_PASSWORD='true'
fi
fi
fi
fi
fi
if [ -z "${SM_STRONG_PASSWORD+x}" ]; then
if !([[ ${#SECRET_MANAGEMENT_PASSWORD} -ge 8 ]] &&
echo $SECRET_MANAGEMENT_PASSWORD | grep -q [0-9] &&
echo $SECRET_MANAGEMENT_PASSWORD | grep -q [a-z] &&
echo $SECRET_MANAGEMENT_PASSWORD | grep -q [A-Z] &&
echo $SECRET_MANAGEMENT_PASSWORD | grep -q [^[:alnum:]])
then
echo "ERROR: Admin password is too weak. It must be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one symbol and one digit."
exit 1
fi
Expand Down
2 changes: 1 addition & 1 deletion packages/aws-rfdk/lib/deadline/test/repository.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1289,7 +1289,7 @@ test('secret manager enabled', () => {
// THEN
expect(repository.secretsManagementSettings.credentials).toBe(expectedCredentials);
const installerGroup = repository.node.tryFindChild('Installer') as AutoScalingGroup;
expect(installerGroup.userData.render()).toContain(`--installSecretsManagement true ${stack.region} ${expectedCredentials.secretArn}`);
expect(installerGroup.userData.render()).toContain(`-r ${stack.region} -c ${expectedCredentials.secretArn}`);
});

test('secret manager is enabled by default', () => {
Expand Down

0 comments on commit edd489d

Please sign in to comment.